Permit.io has launched FoAz, which lets frontend developers take access controls into their own hands. Short for frontend-only authorization, FoAz is a technology that lets frontend developers call sensitive APIs directly from the frontend, without writing their own backend code, while keeping API secrets and authorization decisions out of the browser.
“The frontend runs on the user’s browser which is inherently insecure,” said Or Weis, CEO of Permit.io.
“Until today, each time a frontend app requires access controls – say only paid users can send an invoice via Stripe or an SMS via Twilio – they have to bother a backend engineer to write the glue-code. FoAz offers backendless permissions that fulfill the promise of shift-left security, empowering frontend developers to deploy features autonomously without sacrificing the integrity of their security posture,” Weis continued.
As more application logic shifts left to the frontend, security must catch up. With FoAz, frontend developers can put permission checks in front of existing services that have no authorization layer of their own, need a stronger policy model (e.g. RBAC), or need finer-grained access control.
FoAz is built on top of the open source project OPAL (Open Policy Administration Layer), which acts as the administration layer for the popular Open Policy Agent (OPA). OPAL brings policy up to the speed needed by live applications: as application state changes via APIs, databases, git, Amazon S3 and other third-party SaaS services, OPAL keeps every microservice's policy agent in sync, in real time, with the policies and data the application requires.
FoAz leverages the low-code interfaces of Permit.io, especially the Permit Policy Editor, which generates policy as code. This makes frontend access policies easy to create and removes the need to hand-write a policy for each frontend use case.
- No code / Low code policy interfaces: FoAz is powered by policy as code (with OPA and Cedar). Combined with Permit’s policy-editor UI, policy creation becomes simple yet powerful, generating policy as code from RBAC to ABAC, with as little effort as ticking a few boxes.
- An open standard: FoAz is an open internet standard (available at FoAz.io) enabling more companies to implement, integrate, and share the technology, as well as collaborate with Permit.io on its future development and security posture.
- Backend-as-a-Service: A FoAz proxy is a generic backend component that takes the authorization burden off individual services and lets the frontend use them directly through it. Permit.io provides a hosted FoAz offering so engineers can forget about the backend altogether.
- Zero-trust and secrets management: FoAz securely manages secrets (storing them encrypted or in a secure vault), so they never need to be exposed to the frontend.
“At Novu, we focus on accelerating the work of developers,” said Tomer Barnea, CEO of Novu.co.
“FoAz is a critical step in removing redundant backend glue-code and providing frontend developers with the freedom and power they need to move fast,” Barnea concluded.